Opening / Closing

Matt Suiche, Comae Technologies

Matt Suiche is the founder of Comae Technologies and OPCDE.

Reversing the Octagon: Next-Gen Windows Security

Dave Weston, Group Manager, Windows team, Microsoft

David Weston is a group manager in the Windows team at Microsoft, where he currently leads the Windows Device Security and Offensive Security Research teams. David has been at Microsoft working on penetration testing, threat intelligence, platform mitigation design, and offensive security research since Windows 7. He has previously presented at security conferences such as Blackhat, CanSecWest and DefCon.

Reversing the Octagon: Next-Gen Windows Security

Alex Ionescu, Vice President of EDR Strategy, CrowdStrike

Alex Ionescu is the Chief Architect at CrowdStrike, Inc. Alex is a world-class security architect and consultant, an expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last two editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as a few dozen non-security bugs.

Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low-level system software, reverse engineering and security trainings for various institutions. In the last three years, he has also contributed patches and development to two major commercially used operating system kernels.

Exploring the Safari: Just-In-Time Optimizations

Apple Safari has a JavaScript engine with a rather simple name, JavaScriptCore, but the engine itself is anything but simple. One common feature of JavaScript interpreters is a just-in-time (JIT) engine that increases the performance of the executed JavaScript. JavaScriptCore takes an interesting approach to this by supporting multiple tiers of optimization, even allowing switching between them within a single function depending on collected statistics.

As with other JIT engines, the optimization strategies employed by Safari's JIT engine have also resulted in a number of vulnerabilities. The downside to applying typical compiler optimizations in order to JIT compile custom user-supplied code is that basic assumptions can be broken.

This talk will cover the low-level internals of JavaScriptCore before going over a few JIT vulnerabilities as well as how they were patched.

Jasiel Spelman, Security Researcher, Zero Day Initiative

WanderingGlitch is a security researcher with Trend Micro's Zero Day Initiative (ZDI), the world's largest vendor-agnostic bug bounty program. In this role, he analyzes vulnerabilities submitted to the program and performs root-cause analysis on them. His focus includes performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including Black Hat, DEFCON, REcon, Power of Community, and BreakPoint. When not researching the latest bugs in software, WanderingGlitch enjoys rock climbing and playing musical instruments.

COINHOARDER: Tracking a Ukrainian Bitcoin Phishing Ring DNS Style

With the price of Bitcoin ascending to new heights in 2017, the rocketing valuation of cryptocurrencies continues its momentum into 2018. Evidence of the massive growth of these digital assets can be seen in the massive spikes in new clients at companies like Coinbase, adding 100,000 users in a 24-hour period, and Binance, which recently expanded its user base by 240,000 users in just one hour.

The financial industry and Silicon Valley are not the only groups who have caught the cryptocurrency fever. Crypto has brought all new degrees of criminals to the watering hole, from nation-states to large-scale organized crime syndicates. Malicious actors have discovered that cryptocurrency newbies are unwitting targets that offer a consistent stream of revenue. Through our global network visibility, Cisco has observed many of these attacks originating from bulletproof hosting infrastructures located in the Eastern European region. This area is a hotbed for crypto theft and other computer crimes such as ransomware, botnets, DDoS services and credit card fraud. Some criminals have even extended beyond the digital world by kidnapping and demanding ransoms in Bitcoin, as in the reported kidnapping and ransom of Pavel Lerner. Lerner was a lead analyst at the Ukraine-based digital currency exchange Exmo, who was released by his kidnappers after a $1 million Bitcoin payment was made. The event illustrates the desperate lengths some criminals will go to in order to steal cryptocurrency.

Having joined the Enterprise Ethereum Alliance in 2017, Cisco is committed to protecting these new crypto technologies. Over the past year Cisco researchers have teamed up with the Ukraine Cyber Police to track a Bitcoin phishing operation dubbed the "Coinhoarder" campaign, which has been tied to the theft of tens of millions of dollars worth of Bitcoin. Cisco has detected these campaigns with its state-of-the-art web content classification, which leverages topic modeling and natural language processing algorithms to predict malicious sites and infrastructures. We will also talk about how Google Ads was abused as the primary delivery vector for these attacks, and how Cisco has teamed up with Google to help diagnose and remedy the problem. We will also talk about the increase in SSL certificates used by phishing sites over the past year and how criminals are evolving their tactics to make their sites nearly indistinguishable from legitimate sites.

Credential phishing continues to be one of the biggest security challenges for internet users, and cryptocurrency phishers have found it to be a very lucrative form of attack. In 2017, Chainalysis reported Ethereum phishing as the number one source of theft in that ecosystem, with estimates placing the total amount stolen at $115 million. Google also recently published a research paper stating that credential phishing is one of their top security challenges. Cisco has been proactive in detecting phishing domains in a predictive fashion to help protect our customers. Additionally, we have been working with security personnel at top cryptocurrency wallets and exchanges, such as Blockchain.info, Coinbase, ShapeshiftIO and MyEtherWallet, to help protect members of the cryptocurrency community from having their tokens stolen. Cisco is also working with multiple major law enforcement teams, domestic and international, to track these criminals. Cisco has also been working closely with Google to help diagnose the problem with Google Ads, and with Cloudflare to identify the large-scale abuse of SSL certificates, helping to save millions of tokens from being hijacked.

Jeremiah O'Connor, Cisco Security

Jeremiah O'Connor is a senior research engineer on the Cisco Security Team, where he focuses on building scalable threat detection models, threat intelligence, and writing software to solve real-world security problems. His current interests are in machine learning, natural language processing, distributed systems, cryptocurrency security, and big data security research. Prior to joining Cisco, he worked at Evernote, Mandiant/FireEye, and Uber. Jeremiah earned a Master's Degree in Computer Science from the University of San Francisco in 2014. Jeremiah has presented his research at many conferences including the ISOI APT Conference, Source Security Conference, Blackhat Asia 2016, Data By the Bay, Cisco's Prague Data Science Summit, and at text mining and security meetups in San Francisco. In his free time, Jeremiah enjoys health and fitness, martial arts, reading, and hanging out with his friends and family.

The Baseband Basics: Understanding, Debugging and Pwning Mediatek Communication Processors

iOS and Android devices have become increasingly hardened over the years, but a soft underbelly exists in both platforms: the baseband processor. The baseband - which is responsible for GSM, 3G and LTE communications - handles extremely complex and bug-prone code, has privileged access to the main processor, and is almost completely unexplored by attackers and defenders alike.

And while bugs in baseband processors for Samsung and iPhone devices have received some limited attention in the past, a whole range of devices, such as Tecno and Oppo, extremely popular in Kenya and other African and Asian countries, use a different baseband processor which has remained totally unexplored by security researchers. Until now.

In this talk, we will review the attack surfaces available on the Mediatek baseband. Then, we will showcase a platform which can uniformly debug a range of different basebands in a generic and portable way, and demonstrate the usage of this platform on several baseband types.

Finally, we will demonstrate a baseband bug in Mediatek, review how exploitation is possible, and show a possible escalation strategy to achieve full code execution in the main processor itself.

Nitay Artenstein and Charles Muiruri

Nitay Artenstein is a security researcher in the fields of reverse engineering, exploit development and vulnerability research. His fields of interest include Windows kernel exploitation, reverse engineering embedded systems and bug hunting in the Linux kernel. For the past two years, he has been working mainly on exploiting Android devices. He suffers from a severe addiction to IDA Pro (at least until radare comes up with a decent decompiler), and generally gets a kick out of digging around where he's not supposed to. His most recent public work is the Broadpwn vulnerability, presented at Black Hat USA.

Charles Muiruri is a security researcher with a passion for reverse engineering, exploit development and vulnerability research. He has previously presented his research at OPCDE Dubai.

Program Analysis on Smart Contracts

This talk will cover modern technology for finding bugs in smart contracts with methods including fuzzing, static analysis, and symbolic execution. There will be a quick introduction explaining what smart contracts are and some of the unique features they have; the rest of the talk will then focus on how to adapt traditional program analysis concepts to this new domain, with a strong focus on finding real-world bugs. Techniques will be demonstrated with actual bugs, found in the wild, that have cost people untold millions.

JP Smith, Trail Of Bits

JP is a security engineer at Trail of Bits focused on program analysis, cryptography, and verification. He develops Echidna, the only existing fuzzer to target smart contracts, and regularly speaks about his work at conferences across the globe. In his free time, he enjoys travel, biohacking, and chess.

A Walk With Shannon: A walkthrough of a PWN2OWN Baseband exploit

Mobile devices have become quite complicated in the past 10 years. Today they feature a number of embedded chips which are tasked with handling things such as Wi-Fi, Bluetooth and cellular communications. These chips run firmware with which a malicious third party can interact over the air, but unfortunately they have not had enough scrutiny from the security community. This talk will focus on the Samsung Shannon Baseband and how it was successfully exploited at Mobile Pwn2Own 2017. First, we will give an overview of cellular technologies (GSM, 3G, 4G) from a security standpoint. Then we will delve into the internals of the Shannon Baseband and show how to identify vulnerabilities that are exploitable over the air. Finally, we will show how to exploit one of these vulnerabilities in order to get code execution on the baseband chip of the Samsung Galaxy S8.

Amat Cama, Independent

Amat is an independent security researcher based in Senegal. He has previously worked as a Penetration Tester at Virtual Security Research, a Research Assistant at the University of California, Santa Barbara Seclab, a Product Security Engineer at Qualcomm and a Senior Security Researcher at Beijing Chaitin Technology Co. In 2016 he won a hall of fame prize at Geekpwn Shanghai for his demo of a remote exploit against the Valve Source Engine.

Trail Of Bits

Ecosystem partner